MPLS WAN services arose from the need to build private wide area networks that scaled easily and economically. Before MPLS, the only way to connect remote sites was a hub-and-spoke topology built from expensive point-to-point leased lines.
The Internet was an alternative, but it was complex and, on its own, not secure. Before long, firewall vendors added site-to-site VPN capability, which allowed offices to be connected over the Internet using IPsec encryption. Aside from the expensive hardware, you almost needed a degree in rocket science to design and deploy it. While things were still that complex, MPLS started to become mainstream: each remote site connects to a local provider edge, and the provider “label switches” the traffic across its backbone to the other remote site. The price was about the same as a typical Internet link, and it delivered the private connection between sites that managers needed.
Since MPLS was not supported by all carriers, and not all carriers provided service nationwide or worldwide, MPLS suffered from “gaps” in geographical coverage. For example, if you had a Verizon connection in Los Angeles and an Altel connection in New York, and both offered MPLS, you still could not deploy MPLS between them, because the service required the same carrier at each end. Consequently, managers had to rely on IPsec tunnels, which require firewall equipment at each site (a Cisco PIX, Netscreen, Check Point, or some other firewall), and consultants typically had to be hired to pull all of it together. So MPLS and IPsec were “competing” technologies, both viable solutions, each with its own drawbacks.
The Tipping Point
Even today I still hear a bias for one solution over the other among fellow IT eggheads. Most are adamant that MPLS is the way to go and IPsec is over. They say that many buyers would pay any price to dump their IPsec equipment so they could migrate to an MPLS backbone. There is a tipping point at work here, partly driven by industry magazines proclaiming MPLS the best technology, or running stories about Fortune 500 companies switching over and saving a bundle. While much of the hype is true, migrating to MPLS takes some work. While it's my job to make it as headache-free as possible for you, I still say the decision to migrate requires a thorough analysis of your current situation and a proper understanding of the pros and cons.
MPLS vs IPsec
The most common reason for switching to MPLS is to simplify your network. Most IPsec-based networks consist of a main site, a backup main site, and multiple remote sites, and they require extensive design, planning and rollout. Network design can soak up considerable resources: equipment must be purchased, routing tables populated, security policies configured, cryptographic algorithms chosen, and so on. Even after that phase is complete, you still need to test and troubleshoot.
MPLS does away with most of those headaches. You don’t need to purchase tunnel-terminating equipment, and you don’t need to design an encryption scheme, because the provider keeps your traffic in its own routing instance (a VRF), separated from other customers and from the public Internet. To you, MPLS is a simple private network, as straightforward as if you were connecting your sites point to point. You connect your main, backup and remote sites to the MPLS network and you’re done. This is definitely the key benefit of MPLS. One caveat is worth knowing up front: that separation is routing-level isolation, not encryption. The carrier can see your traffic in the clear, so data that must stay confidential even from the provider, or that regulation requires to be encrypted in transit, should still be encrypted end to end (for example with IPsec or TLS) even though it rides an MPLS link.
While MPLS is simple to configure and can shorten your rollout, there is a drawback: MPLS alone does not give your sites access to the Internet. Because MPLS puts your network on a private WAN, Internet connectivity is an entirely separate purchase. You first determine how much Internet bandwidth all of your sites need combined, then buy and position that bandwidth at the main site (and at the backup site, if needed). Remote sites send Internet-bound packets across the MPLS backbone to the main site, which forwards them out through its Internet connection. On the plus side, only one Internet-facing firewall is needed for the entire network, at the main site, avoiding the need to install one at each remote site. Another small advantage is that Internet usage for the entire network is now monitored and managed at only one site, the main one, or headquarters.
Having solved site-to-site connectivity and Internet access, you now have another potential headache: every site’s Internet traffic rides the same pipe as your private site-to-site traffic. That only matters when, say, someone at a remote site downloads a huge MP3 file at the same moment your CEO is pulling his latest sales forecast report from that same branch office. Whoops. So MPLS definitely has a double edge once you find yourself sharing one pipe for Internet and business-critical site-to-site transfers.
Weighing The Options
So what’s the solution? There are several. You can compress data before it hits the MPLS network, or keep local copies and replicate at night. You can increase your bandwidth to the MPLS network, or apply Quality of Service (QoS) to the packets.
If you also have voice and video flowing over your MPLS network, that adds another wrinkle. You need to allocate and reserve bandwidth, differentiate traffic classes, and prioritize them: voice first, video second, site-to-site data third, Internet last. In practice that means “marking packets” (for example with DSCP values) at your core switch or edge routers, and then queuing on the WAN interface according to those marks. Check what your carrier actually honors: most MPLS providers offer a fixed set of classes of service, and marks they do not recognize are remapped or treated as best effort.
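As an added example (not from the original article, and not Tierzero’s configuration), here is what the marking and queuing described above looks like on a Cisco IOS router using MQC syntax. Everything specific is an assumption for illustration: the LAN on GigabitEthernet0/0, the MPLS T1 on Serial0/0, corporate sites inside 10.0.0.0/8, video endpoints in 10.1.50.0/24, the RTP port range, and the bandwidth percentages. The DSCP values shown (EF, AF41, AF21) are common choices; use whatever your carrier’s class-of-service plan maps to its queues.

```cisco
! Added example, not from the original article. Assumed: Cisco IOS MQC syntax,
! branch LAN on GigabitEthernet0/0, MPLS T1 on Serial0/0, sites in 10.0.0.0/8.
!
! --- 1. Classify and mark at the LAN edge (inbound from the branch LAN) ---
!
! Assumed RTP port range used by the IP phones.
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
! Assumed subnet holding the video conferencing endpoints.
ip access-list extended VIDEO-ENDPOINTS
 permit ip 10.1.50.0 0.0.0.255 any
!
! Anything going to another corporate site is site-to-site data.
ip access-list extended SITE-TO-SITE
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
class-map match-any MARK-VOICE
 match access-group name VOICE-RTP
class-map match-any MARK-VIDEO
 match access-group name VIDEO-ENDPOINTS
class-map match-any MARK-SITE-TO-SITE
 match access-group name SITE-TO-SITE
!
! Classes are evaluated in order; first match wins. Everything that does not
! match (Internet-bound traffic) is forced to best effort (DSCP 0) so that a
! host cannot grab a premium queue by setting its own marks.
policy-map MARK-IN
 class MARK-VOICE
  set dscp ef
 class MARK-VIDEO
  set dscp af41
 class MARK-SITE-TO-SITE
  set dscp af21
 class class-default
  set dscp default
!
interface GigabitEthernet0/0
 description Branch LAN
 service-policy input MARK-IN
!
! --- 2. Queue on the MPLS-facing interface by mark ---
!
class-map match-any Q-VOICE
 match dscp ef
class-map match-any Q-VIDEO
 match dscp af41
class-map match-any Q-SITE-TO-SITE
 match dscp af21
!
! Voice gets a strict low-latency queue, policed to 20% of the T1 so it cannot
! starve the others. Video and site-to-site data get guaranteed minimums.
! Internet traffic (class-default) shares whatever is left, fair-queued.
! Reserved total is 70%, under the classic 75% max-reserved-bandwidth default.
policy-map WAN-OUT
 class Q-VOICE
  priority percent 20
 class Q-VIDEO
  bandwidth percent 20
 class Q-SITE-TO-SITE
  bandwidth percent 30
 class class-default
  fair-queue
!
interface Serial0/0
 description MPLS T1 to carrier
 service-policy output WAN-OUT
```

After applying it, `show policy-map interface Serial0/0` shows per-class offered rate, drops and queue depth, which is how you confirm that the Internet class, not voice, is the one shedding packets when the link saturates. The marking policy on the LAN side is as much a security control as a QoS one: without it, any workstation can tag its own packets EF and jump the queue ahead of the phones.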
Suddenly MPLS doesn’t seem so simple once you factor in traffic classification and QoS. But it still beats spending $5k per site on a fancy firewall doing IPsec. The key is to use some of the savings to invest in careful design and planning from a QoS expert.
The Money Issue
Which brings us to cost. Typically an MPLS link is about the same price as an Internet T1. So if you have one main site and five remote sites, and the average price of a T1 is $500, you would usually buy two MPLS T1s at the main site and one MPLS T1 at each of the five remote sites: seven circuits, or $3,500 per month. For five sites you would also need at least two Internet T1s at the main site, which brings the total to nine circuits, or $4,500 per month. In an IPsec multi-firewall configuration the remote sites already have Internet access, so you would just buy seven Internet T1s, for a total of $3,500 per month. MPLS therefore typically costs more than Internet T1s, not in loop costs, but because of the additional T1s required at the main site to reach the Internet.
So Why MPLS?
So if MPLS is more expensive than Internet T1s with IPsec firewall VPNs, why go MPLS? Well, IPsec firewalls cost money. They are an up-front capital cost rather than a recurring charge, and they require technical know-how and staff time to maintain, not just at the main site but at every remote site. The more sites you have, the more firewalls there are to patch, monitor and maintain. That is an indirect expense that shows up as employee cost. Some ISPs, such as ourselves here at Tierzero*, offer IPsec or GRE services, which are a more affordable alternative.
Safety
Security is another factor for those considering MPLS. MPLS is secure in the sense that it behaves like a private link: your remote sites are not reachable from the Internet, so there is no Internet-facing attack surface at those sites. Many banks, government institutions and security agencies favor MPLS for exactly that reason, because Internet-facing links are exposed to attacks, hackers and other malicious activity. An IPsec deployment is only as secure as the people who configure and maintain it: Internet T1s put public IP address space at every site, which leaves room for human error such as a bad firewall rule. MPLS T1s carry private address space and expose nothing to the Internet. The only place the network can be attacked from the Internet is the Internet T1 at the main site, and that is why the firewall sits there. Keeping track of one firewall is far easier than keeping track of six or more, one at every remote site. MPLS shrinks your Internet exposure from multiple points to a single point. This is good, very good. Two caveats apply. First, that single point is also the one place everything must be done right and a single point of failure, so it deserves a backup path, regular rule review, and the same patching discipline you would have spread across six devices. Second, “private” means isolated, not encrypted: MPLS does not hide your traffic from the carrier, and the isolation only holds as long as the provider has configured it correctly, so traffic that must stay confidential should still be encrypted across the MPLS cloud.
Commitment
Contractual obligations are another key factor in the WAN connectivity equation. Your sites may not all have the same contract end dates, which is a drawback, because MPLS usually requires you to move all circuits at once if you don’t want to end up paying twice for service. One option is to keep the Internet connection at the main site while replacing the IPsec Internet T1s at the remote sites with MPLS T1s; this way you fulfill your contractual obligations but still move your network to MPLS. If that doesn’t work, consider running a hybrid of MPLS and IPsec, moving circuits from IPsec to MPLS as each contract expires. Some ISPs may also allow you to convert their Internet T1s to MPLS T1s if they have the offering.
And So...?
In conclusion, MPLS can give you significant benefits in simplicity, scalability and security, chiefly by reducing the number of Internet-exposed points. Its drawbacks are the monthly expense and the need for packet classification and prioritization. IPsec VPNs can save on monthly expense, but bring considerable complexity and maintenance obligations as well as higher up-front costs. These are the factors you need to weigh before opting for either solution.